Hi Guys,
The conclusion was to include support for security hardware for more
traditional smart card applications that are already widely deployed.
My personal belief is that this does not mean retrofitting the web for
the existing very diverse set of cards out there because this would lead
to "Driver Hell". There were also moderate interest in supporting
smart cards at the APDU-level although that (on paper) would give
support for every card.
As a Google representative said: I don't think many web-developers
would be able to write a login solution based on APDUs. So right!!!
So what does that lead us? IMO, the only workable solution is creating
a "WebToken" along the lines of FIDO but using a different access control/
mediation mechanism to get away from the SOP constraint which does
not match current use of smart cards.
If this actually succeeds it would be no less than a revolution!
Anders